60-Objects Tab

- Objects in Palo Alto firewalls are configuration elements used to simplify rule definitions. Common object types include IP addresses, URLs, applications, services, and tags.
- Address, service, and tag objects can be added individually or grouped into object groups. Region and schedule objects are also available for defining policy filters and scope.
- When defining objects, the settings include the object name, the type of addresses, ports, or tags included, and an optional description. Objects are then available for selection when creating security policies and rules.

Uploaded by

Arun Somashekar

Objects Tab:

o In a Palo Alto firewall, an Object is a container that groups specific policy filter values.
o Examples of Objects are IP addresses, URLs, applications, services, etc.
o In Palo Alto Networks firewalls, Objects are used to simplify rule definitions.
o An Address object might, for example, contain the IP address definitions for web servers in the DMZ zone.
o The Palo Alto firewall is an object-based device in which Objects are the configuration elements.

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


Objects > Addresses:
o Just like other firewalls, the Palo Alto Networks firewall supports Address objects.
o An Address object holds an IPv4 or IPv6 address (single IP, range, or subnet) or an FQDN.
o It allows the same object to be reused as a source or destination address across all policies.
o It allows the same object to be reused without having to enter the address manually each time.

Settings and descriptions:

Name: Enter a name that describes the addresses you will include as part of this object.
Description: Enter a description for the object.
Type: Specify an IPv4 or IPv6 address or address range, or an FQDN.
  IP Netmask: Examples:
    192.168.80.150/32—indicates one address.
    192.168.80.0/24—all addresses from 192.168.80.0 through 192.168.80.255.
  IP Range: Enter a range of addresses using the format ip_address-ip_address, for example
    192.168.80.100-192.168.80.200, where both ends of the range are IPv4 addresses or both
    are IPv6 addresses.
  FQDN: To specify an address by its fully qualified domain name, select FQDN and enter the
    domain name. The FQDN is resolved by the system DNS server or a DNS Proxy object.
Resolve: After selecting the address type and entering an IP address or FQDN, click Resolve
  to see the associated FQDN or IP addresses.
Tags: Select or enter the tags that you wish to apply to this address object.
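As an added illustration (not part of the original notes), the following Python models the three address types in the table and checks whether an IP falls inside an object; the `resolved` mapping is a constructed stand-in for the firewall's DNS resolution of an FQDN object.

```python
import ipaddress
import re

# Constructed example for this note: models the IP Netmask, IP Range and FQDN
# address types from the table above. Not the firewall's own code.
# Hostname labels: letters/digits/hyphen, no leading or trailing hyphen, 1-63 chars.
_FQDN_RE = re.compile(r"^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def parse_address_object(name, addr_type, value):
    """Validate one address object definition and return a normalised dict."""
    if not name.strip():
        raise ValueError("name is required")
    if addr_type == "ip-netmask":
        # strict=False accepts 192.168.80.0/24 and a single host such as 192.168.80.150/32
        net = ipaddress.ip_network(value, strict=False)
        return {"name": name, "type": addr_type, "value": str(net), "size": net.num_addresses}
    if addr_type == "ip-range":
        lo_s, sep, hi_s = value.partition("-")
        if not sep:
            raise ValueError("range must use the form ip_address-ip_address")
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version:
            raise ValueError("both ends must be IPv4 addresses or both IPv6 addresses")
        if lo > hi:
            raise ValueError("range start is after range end")
        return {"name": name, "type": addr_type, "value": f"{lo}-{hi}", "size": int(hi) - int(lo) + 1}
    if addr_type == "fqdn":
        if not _FQDN_RE.match(value):
            raise ValueError(f"invalid FQDN: {value!r}")
        return {"name": name, "type": addr_type, "value": value.lower(), "size": None}
    raise ValueError(f"unknown address type: {addr_type!r}")


def address_matches(obj, ip, resolved=None):
    """True if `ip` falls inside the object. An FQDN object is only as good as its
    DNS resolution; `resolved` ({fqdn: [ip, ...]}, constructed) stands in for the
    firewall's DNS server or DNS Proxy lookup."""
    ip = ipaddress.ip_address(ip)
    if obj["type"] == "ip-netmask":
        net = ipaddress.ip_network(obj["value"])
        return ip.version == net.version and ip in net
    if obj["type"] == "ip-range":
        lo, hi = (ipaddress.ip_address(p) for p in obj["value"].split("-"))
        return ip.version == lo.version and lo <= ip <= hi
    return str(ip) in (resolved or {}).get(obj["value"], [])
```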



Objects > Address Groups:
Address groups simplify the creation of security policies: addresses that require the same
security settings can be combined into an address group.
Static Address Groups:
A static address group can include address objects, dynamic address groups, or a
combination of both address objects and dynamic address groups.
Dynamic Address Groups:
A dynamic address group populates its members dynamically using lookups for tags and
tag-based filters.
To create an address group, click Add and fill in the following fields.

Settings and descriptions:
Name: Enter a name that describes the address group.
Description: Enter a description for the object.
Type: Select Static or Dynamic.
Addresses: For a static address group, click Add and select one or more address objects
  or address groups to include in the group.
Tags: Select or enter the tags that you wish to apply to this address group.



Go to Objects > Address Groups > Add to add an address group.

Click the Add button to add address objects or address groups. Alternatively, click the Browse
button to open a new window and click the plus sign there to add address objects. To add an
address group, click the Address Group tab and add it from there.

Objects > Regions:

o The firewall supports creation of policy rules that apply to specified countries or other regions.
o Region is available as an option when specifying the source and destination for security policies.
o Region is also available as an option in decryption policies and DoS policies.



Objects > Services:
o When defining security policies for specific applications, you can select one or more services.
o A Service object is used to limit the port numbers the applications can use.
o The default service is any, which allows all TCP and UDP ports from 1 to 65535.
o The HTTP and HTTPS services are predefined, but you can add additional service definitions.
o On the firewall web interface navigate to Objects > Services and click Add to bring up the dialog.

o For a TCP or UDP service, the timeout values can be left at "Inherit from application".
o For a TCP or UDP service, the timeout values can also be set explicitly by using "Override".
o Click OK to add the service and click Commit to save and apply the configuration.
o You can now reference the newly added service when configuring a security policy.



Settings and descriptions:
Name: Enter the service name. This name appears in the services list when defining
  security policies.
Description: Enter a description for the service.
Protocol: Select the protocol used by the service (TCP, UDP, or SCTP). You can specify SCTP
  (Voice) only if you have enabled SCTP (Device > Setup > Management).
Destination Port: Enter the destination port number (0 to 65535) or range of port numbers.
  Multiple ports or ranges must be separated by commas; the destination port is required.
Source Port: Enter the source port number (0 to 65535) or range of port numbers. Multiple
  ports or ranges must be separated by commas; the source port is optional.
Session Timeout: Define the session timeout for the service:
  Inherit from application (default)—No service-based timeouts are applied.
  Override—Define a custom session timeout for the service. Continue to populate the
  TCP Timeout, TCP Half Closed, and TCP Wait Time fields.
TCP Timeout: Set the maximum length of time in seconds that a TCP session can remain open
  after data transmission has started. When this time expires, the session closes.
  Range is 1 - 604800. Default value is 3600 seconds.
TCP Half Closed: Set the maximum length of time in seconds that a session remains open when
  only one side of the connection has attempted to close the connection.
  Range is 1 - 604800. Default value is 120 seconds.
TCP Wait Time: Set the maximum length of time in seconds that a session remains open after
  receiving the second of the two FIN packets required to terminate a session, or after
  receiving an RST packet to reset a connection. When the timer expires, the session closes.
  Range is 1 - 600. Default value is 15 seconds.
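An added example, not from the original notes: the Python below validates a service definition against the rules in the table (destination port required, ports 0 to 65535, timeouts accepted only with Override and within the stated ranges, documented defaults otherwise) and matches a flow against it. Only the TCP timeout fields listed above are modeled.

```python
# Constructed example for this note: validates a service object as the table above describes
# it (protocol, required destination port, optional source port, Override timeouts). Not PAN-OS code.
PROTOCOLS = ("tcp", "udp", "sctp")
TIMEOUT_BOUNDS = {"tcp_timeout": (1, 604800, 3600),      # (min, max, default) in seconds
                  "tcp_half_closed": (1, 604800, 120),
                  "tcp_wait_time": (1, 600, 15)}

def parse_ports(spec, required):
    """Turn '80,443,8000-8080' into [(80, 80), (443, 443), (8000, 8080)]."""
    spec = (spec or "").strip()
    if not spec:
        if required:
            raise ValueError("destination port is required")
        return []          # an empty source port list means any source port
    ranges = []
    for part in spec.split(","):
        lo_s, sep, hi_s = part.strip().partition("-")
        lo, hi = int(lo_s), int(hi_s) if sep else int(lo_s)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port or range: {part.strip()!r}")
        ranges.append((lo, hi))
    return ranges

def build_service(name, protocol, dst_ports, src_ports=None, session_timeout="inherit", **timeouts):
    """Build a service dict; timeout keywords are accepted only with session_timeout='override'."""
    protocol = protocol.lower()
    if protocol not in PROTOCOLS or session_timeout not in ("inherit", "override"):
        raise ValueError("protocol must be tcp/udp/sctp and session_timeout inherit/override")
    svc = {"name": name, "protocol": protocol, "destination": parse_ports(dst_ports, True),
           "source": parse_ports(src_ports, False), "session_timeout": session_timeout}
    if session_timeout == "inherit":
        if timeouts:
            raise ValueError("custom timeouts require session_timeout='override'")
        return svc
    for field, (low, high, default) in TIMEOUT_BOUNDS.items():
        value = timeouts.pop(field, default)  # unset fields keep the documented default
        if not low <= value <= high:
            raise ValueError(f"{field} must be {low}-{high} seconds, got {value}")
        svc[field] = value
    if timeouts:
        raise ValueError(f"unknown timeout fields: {sorted(timeouts)}")
    return svc

def service_matches(svc, protocol, dst_port, src_port=None):
    """True if a flow's protocol and ports fall within the service definition."""
    if protocol.lower() != svc["protocol"]:
        return False
    if not any(lo <= dst_port <= hi for lo, hi in svc["destination"]):
        return False
    return not svc["source"] or (src_port is not None and any(lo <= src_port <= hi for lo, hi in svc["source"]))
```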



Objects > Service Groups:
To simplify the creation of security policies, you can combine services that have the same
security settings into service groups. Go to Objects > Service Groups, and then click the Add
button at the bottom of the screen. As an example, create a Service Group named Web-Services.
Click the Add button to add the web services to the group, then select and add all the services.

Settings and descriptions:
Name: Enter the service group name.
Service: Click Add to add services to the group. Select from the drop-down, or click Service
  at the bottom of the drop-down and specify the settings for a new service.



Objects > Tags:
o Under Objects > Tags you can create a tag, assign it a color, and delete, rename, and clone tags.
o Tags can be used to sort or filter objects, and objects with a colored tag are visually distinguished.
o When a color is applied to a tag, the Policies tab displays the object with that background color.
o Tags can be applied to address objects, address groups, zones, services, service groups, and policy rules.
o Go to Objects > Tags, and then click the Add button at the bottom of the screen.
o The color of a tag object is selected from a palette of predefined colors.
o Only predefined colors are available; you cannot create custom colors, and multiple tags can use the same color.
o If an item has multiple tags with different colors, the color of the first tag is displayed.
o Configuration logs are generated for adding, editing, and deleting tag objects and for setting tags on objects.
o In the Palo Alto Networks firewall, a tag object has three fields: Name, Color, and Comments.

Tag settings and descriptions:
Name: Enter a unique tag name. The name is not case-sensitive.
Color: Select a color from the color palette in the drop-down. The default value is None.
Comments: Add a label or description to remind you what the tag is used for.



Objects > Schedules:
o By default, Security policy rules in the PA firewall are always in effect, on all dates and at all times.
o To limit a Security policy rule to specific times, you can define schedules.
o After defining schedules, you can apply them to the appropriate policy rules in the Actions tab.
o You can specify a fixed date and time range or a recurring daily or weekly schedule.
o Go to Objects > Schedules, and then click the Add button at the bottom of the screen.

Settings and descriptions:
Name: Enter a schedule name. This name appears in the schedule list when defining
  security policies.
Recurrence: Select the type of schedule (Daily, Weekly, or Non-recurring).
Daily: Click Add and specify a Start Time and End Time in 24-hour format (HH:MM).
Weekly: Click Add, select a Day of Week, and specify the Start Time and End Time in
  24-hour format (HH:MM).
Non-recurring: Click Add and specify a Start Date, Start Time, End Date, and End Time.



Let's create a Schedule object for Twitter named Twitter-Schedule, with Recurrence: Daily, Start
Time: 2PM and End Time: 11:30PM.

Then, on the WebGUI, go to Policies > Security > Security Policy Rule > Schedule > Actions to apply
the schedule to the rule.



From 2PM until 11:30PM at night, the Twitter application or URL will be blocked.

Before 2PM it will work.
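As an added example (not from the original notes), the Python below builds Daily, Weekly and Non-recurring schedules from the settings in the table and evaluates whether a rule carrying the schedule is in effect at a given moment, using the Twitter-Schedule above as its first case. It assumes each window lies within one day with inclusive boundaries and takes non-recurring dates as YYYY-MM-DD.

```python
from datetime import date, datetime, time

# Constructed example for this note: builds the three schedule types from the table
# above and checks whether a policy rule carrying the schedule is in effect at a given
# moment. Assumptions: windows lie within one day (start before end), boundaries are
# inclusive, and non-recurring dates are given as YYYY-MM-DD. Not the firewall's code.
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")

def _hhmm(text):
    """Parse a 24-hour HH:MM string into a datetime.time."""
    hours, minutes = (int(p) for p in text.split(":"))
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"time must be HH:MM in 24-hour format: {text!r}")
    return time(hours, minutes)

def build_schedule(name, recurrence, windows):
    """windows: Daily -> [(start, end)], Weekly -> [(day, start, end)],
    Non-recurring -> [(start_date, start_time, end_date, end_time)]."""
    rec = recurrence.lower()
    built = []
    for w in windows:
        if rec == "daily":
            start, end, day = _hhmm(w[0]), _hhmm(w[1]), None
        elif rec == "weekly":
            start, end, day = _hhmm(w[1]), _hhmm(w[2]), DAYS.index(w[0].lower())
        elif rec == "non-recurring":
            start = datetime.combine(date.fromisoformat(w[0]), _hhmm(w[1]))
            end, day = datetime.combine(date.fromisoformat(w[2]), _hhmm(w[3])), None
        else:
            raise ValueError("recurrence must be Daily, Weekly or Non-recurring")
        if start >= end:
            raise ValueError(f"start {start} must be before end {end}")
        built.append((day, start, end))
    return {"name": name, "recurrence": rec, "windows": built}

def schedule_in_effect(sched, when):
    """True if `when` (a datetime) falls inside any window of the schedule."""
    for day, start, end in sched["windows"]:
        if sched["recurrence"] == "non-recurring":
            if start <= when <= end:
                return True
        elif (day is None or day == when.weekday()) and start <= when.time() <= end:
            return True
    return False

def rule_applies(sched, when, action):
    """A rule with a schedule is evaluated only inside its windows; otherwise it is skipped."""
    return action if schedule_in_effect(sched, when) else "skipped"
```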

